Two 10.0 severity Spinnaker vulns give attackers RCE and production access
2 days ago
- #Cloud Security
- #Spinnaker Vulnerabilities
- #RCE
- ZeroPath Research disclosed two critical vulnerabilities in Spinnaker, CVE-2026-32604 and CVE-2026-32613, each rated 9.9 severity; both let an authenticated user execute arbitrary code, on the Clouddriver and Echo services respectively.
- CVE-2026-32604 is a command injection in Clouddriver's GitJobExecutor.java: a user-supplied branch name is passed unsanitized into a git command line, which yields a shell on Clouddriver and access to the cloud-provider credentials it holds.
- CVE-2026-32613 is a Spring Expression Language (SpEL) injection in Echo's ExpectedArtifactExpressionEvaluationPostProcessor: expressions are evaluated with a StandardEvaluationContext, which permits type references and method invocation, so a user who can trigger a pipeline can execute arbitrary code on Echo.
- Both bugs are reachable through Gate's public API. Because Spinnaker uses a perimeter-based trust model in which service-to-service calls carry no authentication, code execution on one service lets the attacker pivot to the others.
- Mitigations: upgrade to the patched Spinnaker releases, keep secrets in an external secret store rather than in service configuration, restrict network access to the internal services, configure allowed-domains in clouddriver.yml, and enforce strong authentication and monitoring at Gate.
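The Clouddriver bug above is the classic shape of a command-injection flaw: an attacker-controlled string is spliced into a command that a shell parses. The following is an added example, not Spinnaker's GitJobExecutor code and not ZeroPath's proof of concept; it assumes a hypothetical `GitBranchHardening` class with a constructed hostile branch name, and contrasts the string-concatenation pattern with an argument-list invocation guarded by a ref-name check.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration (hypothetical class, not project code): safe versus unsafe
// construction of a git command from a caller-supplied branch name.
public class GitBranchHardening {

    // UNSAFE shape: the branch name is spliced into one string that /bin/sh will parse,
    // so ';', '|', '$(...)' and friends in the branch name become shell syntax.
    // Shown only to make the injection visible; never execute strings built this way.
    static String buildShellCommand(String repoUrl, String branch) {
        return "git clone --branch " + branch + " " + repoUrl + " /tmp/checkout";
    }

    // Conservative allow-list for ref names: no leading '-' (would look like an option
    // to any git subcommand), no whitespace, no shell metacharacters at all.
    private static final Pattern SAFE_REF =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$");

    static boolean isSafeRefName(String branch) {
        if (branch == null || !SAFE_REF.matcher(branch).matches()) {
            return false;
        }
        // Mirror a few of git's own refname rules (see git check-ref-format).
        return !(branch.contains("..") || branch.contains("//")
                || branch.endsWith(".lock") || branch.endsWith("/") || branch.endsWith("."));
    }

    // SAFE shape: each element becomes one argv entry passed straight to execve(),
    // so no shell is involved and nothing in the branch name is re-parsed.
    // "--" tells git clone that what follows are positional arguments, not options.
    static List<String> buildArgv(String repoUrl, String branch, String dest) {
        if (!isSafeRefName(branch)) {
            throw new IllegalArgumentException("rejected branch name: " + branch);
        }
        return Arrays.asList("git", "clone", "--branch", branch, "--", repoUrl, dest);
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled branch name for the demonstration.
        String hostile = "main; id";
        String repo = "https://git.example/app.git";

        System.out.println("shell form would run: " + buildShellCommand(repo, hostile));
        System.out.println("hostile name accepted? " + isSafeRefName(hostile));
        System.out.println("release/2026.04 accepted? " + isSafeRefName("release/2026.04"));

        List<String> argv = buildArgv(repo, "release/2026.04", "/tmp/checkout");
        System.out.println("argv: " + argv);
        // To actually run it (needs network access to the repo):
        // new ProcessBuilder(argv).inheritIO().start().waitFor();
    }
}
```

The two controls are independent and both matter: `ProcessBuilder` with a `List<String>` removes the shell from the path entirely, and the allow-list stops a name such as `--upload-pack=...` from being interpreted as an option by whichever git subcommand eventually receives it.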
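The Echo bug hinges on which SpEL evaluation context is used. The following is an added example, not Echo's ExpectedArtifactExpressionEvaluationPostProcessor and not ZeroPath's proof of concept; it assumes `spring-expression` on the classpath and uses a hypothetical `TriggerInfo` class as a stand-in for trigger data. It shows the same expression evaluated under `StandardEvaluationContext` (full reflective access) and under `SimpleEvaluationContext` (read-only property binding), which is the hardened form.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added illustration (hypothetical class, not project code): StandardEvaluationContext
// versus SimpleEvaluationContext for user-influenced SpEL expressions.
public class SpelContextHardening {

    // Constructed stand-in for the data an artifact expression is evaluated against.
    public static class TriggerInfo {
        private final String branch;
        public TriggerInfo(String branch) { this.branch = branch; }
        public String getBranch() { return branch; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // UNSAFE: StandardEvaluationContext resolves type references (T(...)), constructors
    // and method calls on arbitrary classes, so a user-supplied expression is arbitrary code.
    static Object evaluateWithStandardContext(String expr, Object root) {
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext(root));
    }

    // SAFE: forReadOnlyDataBinding() permits only property reads on the root object;
    // T(), 'new', method invocation and bean references are all rejected.
    static Object evaluateWithSimpleContext(String expr, Object root) {
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        TriggerInfo trigger = new TriggerInfo("release/2026.04");

        // Legitimate use: read a property of the trigger.
        System.out.println("branch = " + evaluateWithSimpleContext("branch", trigger));

        // Constructed hostile expression. It only reads a system property here, but the
        // same T(...) mechanism reaches Runtime.exec and anything else on the classpath.
        String hostile = "T(java.lang.System).getProperty('user.name')";
        System.out.println("standard context ran it: " + evaluateWithStandardContext(hostile, trigger));

        try {
            evaluateWithSimpleContext(hostile, trigger);
            System.out.println("simple context unexpectedly ran it");
        } catch (SpelEvaluationException ex) {
            System.out.println("simple context rejected it: " + ex.getMessageCode());
        }
    }
}
```

If the surrounding code genuinely needs method calls on the data model, `SimpleEvaluationContext.forReadWriteDataBinding()` or an explicit `MethodResolver` allow-list is still far narrower than a `StandardEvaluationContext`; the point is that the expression author, not the service, is the untrusted party.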